Secure software containers

ABSTRACT

A computer system that comprises a processor, a non-transitory memory, and a system application stored in the non-transitory memory. When executed by the processor, the application receives a request to create a software container, creates the container, generates a signature of the container, creates a container security token that comprises the signature and embeds the container security token in the container, and returns the container with the embedded container security token. The application receives a request to launch an application in the container, determines a confirmation signature of the container provided by the application launch request, compares the confirmation signature to the signature of the container security token in the container, determines that the confirmation signature and the signature of the container security token in the software container match, and responsive to determining the signatures match launches the application in the software container provided by the application launch request.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a divisional of and claims priority under 35 U.S.C. § 119 to U.S. patent application Ser. No. 15/157,031, filed on May 17, 2016, entitled “Secure Software Containers,” by Ronald R. Marquardt, et al., which is incorporated herein by reference in its entirety for all purposes.

STATEMENT REGARDING FEDERALLY SPONSORED RESEARCH OR DEVELOPMENT

Not applicable.

REFERENCE TO A MICROFICHE APPENDIX

Not applicable.

BACKGROUND

Software containers are execution frameworks that support independent execution of applications on top of a single operating system. Software containers can provide significant execution efficiencies, relative to traditional virtualization layers, while still isolating applications and promoting dynamic scaling. A first application executing in a first container is separated from and unaware of a second application executing in a second container on the same host computer. Software containers may be provided as an operating system construct or object. Said in another way, software containers may be created and applications launched for execution in the software containers through application programming interface (API) calls or system calls to the operating system on a host computer.

SUMMARY

In an embodiment, a computer system is disclosed. The computer system comprises a processor, a non-transitory memory, and a system application stored in the non-transitory memory. When executed by the processor, the system application receives a request to create a software container, creates the software container, generates a signature of the software container, creates a container security token that comprises the signature, embeds the container security token in the software container, and returns the software container with the embedded container security token. The system application further receives a request to launch an application in the software container, where the request comprises the software container, determines a confirmation signature of the software container provided by the application launch request, compares the confirmation signature to the signature of the container security token in the software container provided by the application launch request, determines that the confirmation signature and the signature of the container security token in the software container provided by the application launch request match, and responsive to determining the signatures match launches the application in the software container provided by the application launch request.

In an embodiment, a method of providing an execution environment with a software container is disclosed. The method comprises creating a software container comprising a container security token by a system application executing on a computer system, where the token comprises a signature of the software container and an identity of an application and receiving a request by the system application to launch an application in the software container that identifies the software container and identifies the application. The method further comprises determining a confirmation signature of the identified software container by the system application, comparing the confirmation signature to the signature in the container security token by the system application, comparing the application identity provided in the request to launch the application in the software container to the application identity in the container security token by the system application, and, in response to determining that the confirmation signature matches the signature in the container security token and to determining that the application identity provided in the request to launch the application matches the application identity in the container security token, launching execution of the application in the software container by the system application.

In an embodiment, a method of providing a software service is disclosed. The method comprises executing a service application in a software container on a computer system, where the service application provides a software service to client applications external to the computer system, receiving a service request from a client application to access the software service provided by the service application, where the service request comprises a service security token, validating the service security token by the service application, and, in response to validating the service security token, performing the software service associated with the request from the client application by the service application.

These and other features will be more clearly understood from the following detailed description taken in conjunction with the accompanying drawings and claims.

BRIEF DESCRIPTION OF THE DRAWINGS

For a more complete understanding of the present disclosure, reference is now made to the following brief description, taken in connection with the accompanying drawings and detailed description, wherein like reference numerals represent like parts.

FIG. 1 is a block diagram of a communication system according to an embodiment of the disclosure.

FIG. 2 is a block diagram of a software container according to an embodiment of the disclosure.

FIG. 3 is a block diagram of another communication system according to an embodiment of the disclosure.

FIG. 4 is a flow chart of a method according to an embodiment of the disclosure.

FIG. 5 is a flow chart of another method according to an embodiment of the disclosure.

FIG. 6 is an illustration of a user equipment (UE) according to an embodiment of the disclosure.

FIG. 7 is a block diagram of a hardware architecture of a user equipment according to an embodiment of the disclosure.

FIG. 8A is a block diagram of a software architecture of a user equipment according to an embodiment of the disclosure.

FIG. 8B is a block diagram of another software architecture of a user equipment according to an embodiment of the disclosure.

FIG. 9 is a block diagram of a computer system according to an embodiment of the disclosure.

DETAILED DESCRIPTION

It should be understood at the outset that although illustrative implementations of one or more embodiments are illustrated below, the disclosed systems and methods may be implemented using any number of techniques, whether currently known or not yet in existence. The disclosure should in no way be limited to the illustrative implementations, drawings, and techniques illustrated below, but may be modified within the scope of the appended claims along with their full scope of equivalents.

Software containers are used to provide an environment for executing applications on a server computer or a host computer. More particularly, different software containers support independent execution environments for applications executing on the same host computer, such that an application executing in a first container is unaware of another application executing in a second container on the same host computer. Software containers provide many of the advantages of virtualization supported by a hypervisor that creates virtual machines in which separate applications execute. The typical hypervisor supported virtualization involves a virtual operating system executing in a virtual machine provided by the hypervisor and an application executing in the context of the virtual operating system. System calls from the application are mapped from virtual operating systems by the virtual machine to the actual operating system below the hypervisor or, alternatively, directly to machine instructions by the hypervisor. The use of the virtual operating system, however, is often associated with execution inefficiencies. Software containers typically can avoid these execution inefficiencies while still providing the desired inter-application isolation and elasticity of hypervisor driven virtualization.

The present disclosure teaches extending the software container construct to incorporate beneficial security mechanisms. These security mechanisms may be employed separately from each other, in some embodiments. Other embodiments may combine two or more of the security mechanisms. The process of executing applications in software containers entails requesting a software container from the operating system and then asking the operating system to launch an application in the previously obtained software container. This disclosure teaches building a security token at the same time the software container is created. The security token is built into or embedded in the software container. In an embodiment, the security token may be encrypted or a portion of the security token may be encrypted when it is created. When a request to launch an application in the previously created software container is received by the operating system, the security token is examined to determine if the application launch request is to be granted. If the security token does not validate for some reason, the application launch request is rejected.

The operating system may generate a signature that is uniquely or quasi-uniquely associated with a software container when it is created. This signature is built into the security token. When the operating system executing on a host computer is requested to launch an application in a previously created software container, the operating system examines the signature in the security token. If the signature does not pass inspection, the launch request is rejected. The signature may be formed based on a checksum calculated over the software container. The signature may be formed based on a hash value calculated over the software container. Each software container may comprise one or more container artifacts that the operating system relies upon to instantiate a software container for execution. The signature may be formed based in part on calculating a checksum or hash value over the container artifacts. When a request from a user is received, such as a request from a remote workstation, to execute an identified application in a software container, the operating system may recalculate the signature—e.g., determine a confirmation signature—and compare the confirmation signature to the signature stored in the software container. If the container has been tampered with, the confirmation signature may not match the signature stored in the security token, and the software container/application launch request may be rejected.

In an embodiment, a user request to create a software container may identify a specific application to be executed in the software container. The identity of the application may also be stored in the security token. The operating system may further validate the request to execute an application in a created software container by comparing the identity of the application provided in the launch request to the application identity stored in the security token. If the application identities do not match, the operating system may reject the request to launch the application in the software container.

In an embodiment, the operating system may create a time-to-live value when a software container is created and store the time-to-live value in the security token. If a request is received to launch an application in a software container, the operating system checks the time-to-live value and if out-of-date, the operating system may reject the request to launch the application in the software container. Thus, if the software container is too old, it may not be used. This may be useful in avoiding malware capturing and/or copying software containers and attempting to use them at a later date for malicious purposes. In an embodiment, the operating system may periodically check the time-to-live of security tokens of active software containers and terminate the application associated with a software container having an expired time-to-live value in its security token. Alternatively, the operating system may push a message to the application and/or to a user who requested the operating system to launch the application in the subject software container that provides an application programming interface (API) that can be used to extend the time-to-live value. In an embodiment, the time threshold for allowing a request to launch an application in a software container may be different from the time threshold for terminating a software container that has been executing an application for a time. For example, the first time threshold may be 5 seconds while the second time threshold may be 8 hours.

This disclosure further teaches extending an application programming interface (API) construct to incorporate beneficial security mechanisms. These security mechanisms may be employed individually or in combination. A service application may execute in a software container and provide software services to client applications via one or more APIs of the software container. The client application may request a service security token associated with invoking one of the APIs of the service application, for example requesting the service security token from a service token server. The service token server may first verify that the subject client application is authorized to invoke the requested API of the service application, for example verifying that the subject client application has registered to use the service application and has paid a subscription fee for access. The service token server may then create a service security token that comprises one or more of an API signature, a client application identity, and an API time-to-live value. In an embodiment, the service security token may be encrypted. The service token server may then return a service API object that embeds or comprises the service security token to the client application. The API signature may be a unique or quasi-unique value determined by the service token server based on the service API object returned to the client application, for example a checksum or a hash value. The client application sends a request to access the services of the service application that comprises the service API object. The service application validates the service security token, and if the token validates provides the requested service to the client application.

It is appreciated that the security enhancements of the software containers construct may be combined in the same computer system with the security enhancements of the application programming interface construct. These enhancements can be considered to be improvements to computer technology as they increase the inherent security of the computer systems involved and reduce the exposure of these computer systems to a variety of potential cyber-attacks.

Turning now to FIG. 1, a communication system 100 is described. In an embodiment, the system 100 comprises one or more work stations 102, a network 104, and one or more host computers 106. The work stations 102 may be used to launch execution of applications on the host computers 106. The communication system 100 may correspond to a private computing system within an enterprise or organization. Alternatively, the communication system 100 may involve autonomous, unrelated users launching applications on the host computers 106 provided by a third party computing service company.

Each host computer 106 comprises a processor 108 and memory 110. The memory 110 may comprise both non-transitory memory and transitory memory. In an embodiment, a non-transitory portion of the memory 110 may store an operating system 112. When the host computer 106 executes, it may load the operating system 112 from a non-transitory portion of memory to a transitory portion of memory. The operating system 112 may provide system calls or application programming interface (API) calls that support the creation of software containers 114 and that support launching execution of an application 118 in the software container 114. In some contexts the operating system 112 may be referred to as a system application or as one of a plurality of system applications. As taught herein, when the operating system 112 creates the software container 114 it further creates an associated security token 116 that is built into or embedded in the software container 114.

Turning now to FIG. 2, further details of the software container 114 are described. In an embodiment, a work station 102 may request the operating system 112 to create a software container 114 for the work station 102. The request is made via an application programming interface or a system call provided by the operating system 112. The request may involve providing an identity of an application to be launched in the software container 114. The operating system 112 may create the software container 114 a in an initial, inactive state.

The inactive software container 114 a comprises the security token 116 and a variety of container artifacts 136 that the operating system 112 may use to control and execute the container 114. For example, the container artifacts 136 may comprise information about resource allocations and/or resource size for use in initiating the software container 114. For example, the container artifacts 136 may comprise configuration information for use in initiating the software container 114. The security token 116 may comprise a signature 130, the application identity 132, and a time-to-live 134. In different embodiments, the security token 116 may comprise only one of the signature 130, the application identity 132, or the time-to-live 134. Alternatively, in an embodiment, the security token 116 may comprise two of the signature 130, the application identity 132, or time-to-live 134 or all three of these items.

The signature 130 may be calculated by the operating system 112 based on or over the inactive software container 114 a. The signature 130 may comprise a checksum value, a hash value, or some other digital value calculated based on the inactive software container 114 a. The signature 130 may be calculated over the container artifacts 136. The signature 130 may be calculated over the application identity 132. The signature 130 may be calculated over the container artifacts 136 and the application identity 132. The signature 130 may be calculated over the container artifacts 136, the application identity 132, and the time-to-live 134. The signature 130 may be calculated over any combination of two of the container artifacts 136, the application identity 132, and the time-to-live 134.

It is understood that the signature 130 is a value that is unique or quasi-unique to the specific inactive software container 114 a the operating system 112 has created. As used herein, the term quasi-unique is used to indicate that the signature 130 may be created as a finite length bit string and hence may represent only a finite number of unique values. In infrequent instances, two different inactive software containers 114 a may be created with an identical signature 130—and hence the signature 130 may be said to be quasi-unique. In an embodiment, the security token 116 may be encrypted. In an embodiment, the signature 130 of the security token 116 alone may be encrypted. Alternatively, in an embodiment, the entire security token 116 may be encrypted.

After creating the software container 114 a, the operating system 112 returns the inactive software container 114 a to the requesting work station 102. The work station 102 may then send a request to execute an application in the inactive software container 114 a to the operating system 112 through an application launch system call. The request comprises the inactive software container 114 a and information for executing one or more applications in the inactive software container 114 a. The information for executing comprises an identification of the one or more applications. The information may further comprise an address of an executable image of the application and/or applications where the operating system 112 can fetch the application image or images.

The operating system 112 performs security checks on the inactive software container 114 a provided in the launch request. At a high level, the operating system 112 checks one or more of (A) has the inactive software container 114 a been altered, (B) does the application identified in the launch request agree with the application identity stored in the security token 116, and/or (C) is the request timely. Failure to check-out for any of these checks may cause the operating system 112 to reject the launch request. The operating system 112 may verify that the inactive software container 114 a has not been altered by calculating a confirmation signature based on and/or over the inactive software container 114 a and comparing the confirmation signature to the signature 130 stored in the security token 116. If they do not match, the inactive software container 114 a has likely been altered in some way, possibly altered by malware or an unauthorized work station 102. The operating system 112 compares the identity of the application supplied in the application launch request to the application identity stored in the security token 116. If they do not match, the inactive software container 114 a may have been copied by an unauthorized user or application.

The operating system 112 may compare the time-to-live 134 to a current system time of the host computer 106. It will be appreciated that the time-to-live 134 may be implemented in a variety of different manners. The time-to-live 134 may designate a time at which the inactive software container 114 a is to be considered expired or out-of-date. The time may be designated in any time format, for example a number of seconds elapsed from some conventional and understood epoch, such as midnight Jan. 1, 1970. Alternatively, some other conventional and understood epoch may be used. Alternatively, the time-to-live 134 may be set to a time at which the inactive software container 114 a is created. If the operating system 112 determines that the inactive software container 114 a is too old, the request to launch may be rejected, for example if the current system time is later than the time-to-live 134 or if the difference between the current system time and the time-to-live 134 exceeds a first threshold (e.g., in the case where time-to-live 134 records time of creation of the inactive software container 114 a).
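The three launch checks (A), (B) and (C) described above can be illustrated with the following sketch, which is an added example and not code from the disclosure. It assumes the time-to-live 134 records the time of creation and uses the 5 second first threshold mentioned earlier; the function names, the dictionary layout and HOST_KEY are hypothetical. It forms the signature 130 as an HMAC-SHA-256 keyed with a secret held by the operating system rather than the bare checksum or hash the text names, because an unkeyed digest stored inside the container could be recomputed by whoever altered the container.

```python
import hashlib
import hmac
import json
from typing import Tuple

# Assumption: a secret held by the operating system and never stored in the container.
HOST_KEY = b"constructed-demo-key"
# First threshold from the text: maximum age of an inactive container at launch.
LAUNCH_THRESHOLD_S = 5.0


def compute_signature(artifacts, app_id: str, created_at: float) -> str:
    """Signature 130 over artifacts 136, application identity 132 and time-to-live 134."""
    canonical = json.dumps(
        {"artifacts": artifacts, "app_id": app_id, "created_at": created_at},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")
    return hmac.new(HOST_KEY, canonical, hashlib.sha256).hexdigest()


def create_container(artifacts: dict, app_id: str, now: float) -> dict:
    """Create an inactive container with the security token 116 embedded."""
    token = {
        "signature": compute_signature(artifacts, app_id, now),
        "app_id": app_id,
        "created_at": now,  # time-to-live 134 recorded as time of creation
    }
    return {"artifacts": artifacts, "security_token": token}


def check_launch(container, requested_app: str, now: float) -> Tuple[bool, str]:
    """Run checks (A), (B) and (C); any failure rejects the launch request."""
    token = container.get("security_token") if isinstance(container, dict) else None
    if not isinstance(token, dict):
        return False, "missing security token"
    sig = token.get("signature")
    app_id = token.get("app_id")
    created = token.get("created_at")
    if (not isinstance(sig, str) or not isinstance(app_id, str)
            or isinstance(created, bool) or not isinstance(created, (int, float))):
        return False, "malformed security token"

    # (A) Recompute the confirmation signature over what was actually submitted.
    try:
        confirmation = compute_signature(container.get("artifacts"), app_id, created)
    except (TypeError, ValueError):
        return False, "malformed container artifacts"
    if not hmac.compare_digest(confirmation.encode(), sig.encode("utf-8", "replace")):
        return False, "signature mismatch"

    # (B) The application named in the launch request must match the token.
    if requested_app != app_id:
        return False, "application identity mismatch"

    # (C) Timeliness: reject containers older than the first threshold.
    age = now - created
    if not (0 <= age <= LAUNCH_THRESHOLD_S):
        return False, "container expired"
    return True, "ok"


def demo() -> list:
    # Constructed sample container; names and values are illustrative only.
    c = create_container({"cpu_shares": 512, "memory_mb": 256}, "billing-service", now=1000.0)
    tampered = {
        "artifacts": dict(c["artifacts"], memory_mb=4096),
        "security_token": dict(c["security_token"]),
    }
    return [
        check_launch(c, "billing-service", now=1002.0),         # accepted
        check_launch(tampered, "billing-service", now=1002.0),  # artifacts altered
        check_launch(c, "report-service", now=1002.0),          # wrong application
        check_launch(c, "billing-service", now=1010.0),         # too old
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Because the application identity and creation time are covered by the signature, rewriting either field in the token fails check (A) before checks (B) or (C) are reached.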

If the checks performed by the operating system 112 on the security token 116 are positive, the operating system 112 creates an active software container 114 b that executes the application 118 in the active software container 114 b. The operating system 112 or another application may periodically compare the time-to-live 134 of the security token 116 in active software containers 114 b to determine if the time-to-live 134 is expired or if the difference between the current system time and the time-to-live 134 exceeds a second threshold. If the time-to-live 134 is deemed to be expired or too late, the operating system 112 may terminate execution of the application 118 and then destroy the active software container 114 b. Alternatively, the operating system 112 may provide an application programming interface for use by the application 118 or the work station 102 to extend the time-to-live 134. For example, the operating system 112 may prompt the application 118 to invoke an API provided by the operating system 112 for use in extending the time-to-live 134.

In an embodiment, a daemon process associated with the operating system 112 and executing on the host computer 106 outside of any software container 114 may monitor and take action based on time-to-live 134 values of active software containers 114 b associated with the subject host computer 106. For example, the daemon process may terminate an application 118 and destroy an active software container 114 b when the time-to-live 134 is expired or instead prompt the application 118 to invoke a system call to extend the time-to-live 134. Alternatively, a controller process executing on a different server computer (not shown) may monitor and take action based on time-to-live 134 values of active software containers 114 b associated with one or more host computers 106. For example, the controller process may terminate an application 118 and destroy an active software container 114 b when the time-to-live 134 is expired or instead prompt the application 118 to invoke a system call to extend the time-to-live 134.

Turning now to FIG. 3, a communication system 150 is described. In an embodiment, system 150 comprises a user equipment (UE) 152 that comprises a processor 154, a memory 156, and a radio transceiver 158. The memory 156 comprises a client application 160 that may be executed by the processor 154. The system 150 further comprises an enhanced node B (eNB) 162 that provides a wireless communication link to the UE 152 and links the UE 152 to the network 104. The eNB 162 may be referred to as a base transceiver station (BTS) or a cell tower and may provide a wireless communication link to the UE 152 according to one or more of a long term evolution (LTE), a code division multiple access (CDMA), a global system for mobile communication (GSM), or worldwide interoperability for microwave access (WiMAX) wireless communication protocol. The UE 152 may be a mobile phone, a smart phone, a personal digital assistant (PDA), a media player, a wearable computer, a headset computer, a laptop computer, a notebook computer, or a tablet computer. The system 150 may further comprise a UE 186 that communicates via a wired communication link to the network 104. The UE 186 may be a desktop computer, a set-top box, a TV tuner, or other generally stationary electronic device.

The system 150 further comprises a service token server 164 that executes a service token broker application 166 and manages a plurality of service security tokens 168. The system 150 further comprises a host computer 180 that executes a service application 184 in a software container 182. It is understood that the system 150 comprises any number of UEs 152, 186, eNBs 162, and host computers 180. The host computer 180 may provide a plurality of concurrent software containers 182 in which different applications execute or in which independent but like (i.e., based on same application image) applications execute.

In an embodiment, the UE 152, 186 may communicate with the service token server 164 and with the host computer 180 via an end-to-end trusted communication link or channel. For example, at least portions of the client application 160 may execute in a trusted security zone of the UE 152 when communicating with the service token broker application 166 executing on the service token server 164 and/or with the service application 184 executing in the software container 182 on the host computer 180. The client application 160 may perform some on-device processing in the trusted security zone of the UE 152 and may store a service security token 170 and/or a service API 178 in the trusted security zone of the UE 152. Trusted security zones are discussed further hereinafter.

When executed by the processor 154, the client application 160 may send a request for a service security token 168 to the service token server 164 via the eNB 162 and via the network 104. The request for the service security token 168 identifies a service API associated with the service application 184 that the UE 152 desires to invoke. The service token broker application 166 first verifies that the UE 152 is authorized to invoke the service API on the service application 184. For example, the service token broker application 184 may determine that the UE 152 is authorized to use the service application 184. For example, the service token broker application 184 may determine if the UE 152 is registered to use the subject service application 184 and/or if a user associated with the UE 152 has a service subscription associated with the service application 184 that is in good standing (i.e., paid-up or not in arrears).

If the UE 152 is deemed authorized to use the service application 184, the service token broker application 166 creates a service security token 168 for the UE 152. The service security token 168 may comprise one or more of an API signature, a client identity, and an API time-to-live. The service token broker application 166 stores a copy of the service security token 168 and sends a copy service security token 170 to the UE 152 via the network 104 and the eNB 162. The copy service security token 170 comprises one or more of an API signature 172, a client identity 174, and an API time-to-live 176. The service token broker application 166 further sends a service API 178 to the UE 152, for example an API object that may be used to invoke the service API on the service application 184.

The service token broker application 166 may create the API signature 172 based on a hash or a checksum calculated over the service API 178 and calculated over one or more of the client identity 174 and the API time-to-live 176. The API signature 172 may further be based on an identity of the UE 152, for example an IP address, an electronic serial number (ESN), a mobile subscriber identification (MSID), or some other identity. In an embodiment, the service security token 170 is encrypted. The client identity 174 identifies the client application 160 that requested the service security token 170. The client identity 174 may further identify the UE 152, for example identifying an IP address, an ESN, a MSID, or other identity of the UE 152. The API time-to-live 176 may be a time at which the service security token 170 is deemed out-of-date or expired. The API time-to-live 176 may avoid malware copying the service security token 170 and invoking the service application 184 using the service security token 170 by spoofing the authorized UE 152.

The UE 152 sends a request via the eNB 162 and the network 104 to the service application 184 to have a software service performed on its behalf by the service application 184 executing in the software container 182 on the host computer 180. The software service may be access to streaming content such as video or such as premium content. The software service may be access to an interactive application such as a gaming application or some other application. For example, the UE 152 sends a message comprising the service API 178 invocation along with the service security token 170. In an embodiment, the service API 178 invocation includes the service security token 170 as a parameter of the invocation.

The service application 184 examines the service security token 170 received from the UE 152 and determines if it is valid or invalid. If the service application 184 determines that the service security token 170 is invalid, the service application 184 rejects the service API 178 invocation. If the service application 184 determines that the service security token 170 is valid, the service application 184 performs the requested service API 178 invocation, for example providing streaming content or providing gaming services to the client application 160 on the UE 152.

The service application 184 may perform at least part of the verification of the service security token 170 itself. The service application 184 may further delegate some of the verification of the service security token 170 to the service token broker application 166. The service application 184 may decrypt the service security token 170 if it was provided in an encrypted form by the service token broker application 166 to the UE 152. The service application 184 may confirm that the client identity 174 in the service token 170 agrees with an identity of the client application 160 that may be provided in the service API 178 or that may be included in the message in which the service API 178 is embedded. If the client identity 174 does not agree with the identity of the client application 160 provided in the service API 178 and/or included in the service API 178, the service application 184 may reject the service API 178 invocation.

The service application 184 may calculate a confirmation signature over the service API 178 received from the UE 152 and over one or more portions of the service security token 170 (e.g., over the client identity 174 and/or the API time-to-live 176) and compare the confirmation signature to the API signature 172 stored in the service security token 170 included in the service API 178 sent to the service application 184. If the signatures do not agree, the service application 184 may reject the service API 178 invocation. The service application 184 may compare the API time-to-live 176 to a system time and reject the service API 178 invocation if the API time-to-live 176 is out-of-date or expired, based on a predefined time threshold.

In an embodiment, the service security token 170 comprises a unique identity or quasi-unique identity. The service application 184 may further verify the service API 178 by communicating with the service token broker application 166 to verify the authenticity of the service security token 170, for example by sending the unique identity or quasi-unique identity of the service security token 170 to the service token broker application 166 to ask the service token broker application 166 to confirm that it maintains the original service token 168. If the service token broker application 166 does not confirm the match of the service security token identity to a corresponding service token 168, the service application 184 may reject the service API 178 invocation.

In an embodiment, the service token broker application 166 may store information in the service token 168 that is not included in the copied service security token 170, for example an identity of the UE 152 and/or an identity of a subscriber account associated with the service application 184. The service token broker application 166 may be requested by the service application 184 to confirm that the identity of the UE 152 and/or the subscriber associated with the service application 184 agrees with the corresponding information stored in the service token 168 maintained by the service token server 164 and not included in the service security token 170. This may provide additional security and a further obstacle to a bogus device attempting to spoof the UE 152 and/or to break the security mechanism of the service security token 170 and the service API 178.
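The validation sequence described above (client identity check, confirmation signature, time-to-live, broker confirmation), sketched as an added example that is not code from the patent. It assumes the "hash or checksum" is an HMAC-SHA256 under a key shared by the broker and the service application; every name, the key, and the 5-second threshold are hypothetical.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

# Assumption: the "hash or checksum" is an HMAC-SHA256 under a key shared by
# the broker and the service application. Key and names are constructed.
SIGNING_KEY = b"constructed-demo-key"
EXPIRY_THRESHOLD = 5  # seconds of tolerance; hypothetical "predefined threshold"


def _same(a, b):
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())


def api_signature(service_api, client_identity, ttl):
    """API signature: keyed hash over the service API, client identity and TTL."""
    # A JSON array keeps field boundaries unambiguous ("ab"+"c" vs "a"+"bc").
    msg = json.dumps([service_api, client_identity, ttl]).encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class ServiceSecurityToken:
    """The copy handed to the client; it carries no UE identity."""
    token_id: str
    client_identity: str
    ttl: int          # absolute expiry time, epoch seconds
    signature: str


class TokenBroker:
    """Keeps the original token record, including fields the copy omits."""

    def __init__(self):
        self._originals = {}  # token_id -> UE identity (broker-only)

    def issue(self, service_api, client_identity, ue_identity, now, lifetime=300):
        ttl = now + lifetime
        token = ServiceSecurityToken(
            token_id=secrets.token_hex(16),
            client_identity=client_identity,
            ttl=ttl,
            signature=api_signature(service_api, client_identity, ttl),
        )
        self._originals[token.token_id] = ue_identity
        return token

    def confirm(self, token_id, ue_identity):
        """True only if the broker holds this token and the UE identity agrees."""
        stored = self._originals.get(token_id)
        return stored is not None and _same(stored, ue_identity)


def validate_invocation(broker, token, service_api, caller_identity, ue_identity, now):
    """Service-application side. Returns (accepted, reason)."""
    # 1. Client identity in the token must agree with the caller's identity.
    if not _same(token.client_identity, caller_identity):
        return False, "client identity mismatch"
    # 2. Recompute the confirmation signature over what was actually received.
    confirmation = api_signature(service_api, token.client_identity, token.ttl)
    if not _same(confirmation, token.signature):
        return False, "signature mismatch"
    # 3. Reject an out-of-date token (TTL is covered by the signature above).
    if now > token.ttl + EXPIRY_THRESHOLD:
        return False, "token expired"
    # 4. Ask the broker about data that is not in the client's copy.
    if not broker.confirm(token.token_id, ue_identity):
        return False, "broker does not confirm token"
    return True, "ok"
```

Because the UE identity lives only in the broker's record here, a token copied to another device passes steps 1 to 3 and is stopped at step 4.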

It is understood that the UE 186 may likewise interact with the service token broker application 166 and the service application 184 in substantially the same way as the UE 152, with the exception that the UE 186 communicates with the network 104 via a wired link rather than with a wireless link via the eNB 162. In an embodiment, the UE 186 may communicate wirelessly with a short range radio transceiver, such as a WiFi access point or a Bluetooth® access point. The UE 186 may comprise a memory, a client application, a copy of the service security token, and a service API that are substantially similar to those discussed above with reference to UE 152.

A trusted security zone provides chipsets with a hardware root of trust, a secure execution environment for applications, and secure access to peripherals. A hardware root of trust means the chipset should only execute programs intended by the device manufacturer or vendor and resists software and physical attacks, and therefore remains trusted to provide the intended level of security. The chipset architecture is designed to promote a programmable environment that allows the confidentiality and integrity of assets to be protected from specific attacks. Trusted security zone capabilities are becoming features in both wireless and fixed hardware architecture designs. Providing the trusted security zone in the main mobile device chipset and protecting the hardware root of trust removes the need for separate secure hardware to authenticate the device or user. To ensure the integrity of the applications requiring trusted data, such as a mobile financial services application, the trusted security zone also provides the secure execution environment where only trusted applications can operate, safe from attacks. Security is further promoted by restricting access of non-trusted applications to peripherals, such as data inputs and data outputs, while a trusted application is running in the secure execution environment. In an embodiment, the trusted security zone may be conceptualized as hardware assisted security.

A complete trusted execution environment (TEE) may be implemented through the use of the trusted security zone hardware and software architecture. The trusted execution environment is an execution environment that is parallel to the execution environment of the main mobile device operating system. The trusted execution environment and/or the trusted security zone may provide a base layer of functionality and/or utilities for use of applications that may execute in the trusted security zone. For example, in an embodiment, trust tokens may be generated by the base layer of functionality and/or utilities of the trusted execution environment and/or trusted security zone for use in trusted end-to-end communication links to document a continuity of trust of the communications. For more details on establishing trusted end-to-end communication links relying on hardware assisted security, see U.S. patent application Ser. No. 13/532,588, filed Jun. 25, 2012, entitled “End-to-end Trusted Communications Infrastructure,” by Leo Michael McRoberts, et al., which is hereby incorporated by reference in its entirety. Through standardization of application programming interfaces (APIs), the trusted execution environment becomes a place to which scalable deployment of secure services can be targeted. A device which has a chipset that has a trusted execution environment on it may exist in a trusted services environment, where devices in the trusted services environment are trusted and protected against attacks. The trusted execution environment can be implemented on mobile phones and tablets as well as extending to other trusted devices such as personal computers, servers, sensors, medical devices, point-of-sale terminals, industrial automation, handheld terminals, automotive, etc.

The trusted security zone is implemented by partitioning all of the hardware and software resources of the mobile device into two partitions: a secure partition and a normal partition. Placing sensitive resources in the secure partition can protect against possible attacks on those resources. For example, resources such as trusted software applications may run in the secure partition and have access to hardware peripherals such as a touchscreen or a secure location in memory. Less secure peripherals such as wireless radios may be disabled completely while the secure partition is being accessed, while other peripherals may only be accessed from the secure partition. While the secure partition is being accessed through the trusted execution environment, the main mobile operating system in the normal partition is suspended, and applications in the normal partition are prevented from accessing the secure peripherals and data. This prevents corrupted applications or malware applications from breaking the trust of the device.

The trusted security zone is implemented by partitioning the hardware and software resources to exist in a secure subsystem which is not accessible to components outside the secure subsystem. The trusted security zone is built into the processor architecture at the time of manufacture through hardware logic present in the trusted security zone which enables a perimeter boundary between the secure partition and the normal partition. The trusted security zone may only be manipulated by those with the proper credential and, in an embodiment, may not be added to the chip after it is manufactured. Software architecture to support the secure partition may be provided through a dedicated secure kernel running trusted applications. Trusted applications are independent secure applications which can be accessed by normal applications through an application programming interface in the trusted execution environment on a chipset that utilizes the trusted security zone.

In an embodiment, the normal partition applications run on a first virtual processor, and the secure partition applications run on a second virtual processor. Both virtual processors may run on a single physical processor, executing in a time-sliced fashion, removing the need for a dedicated physical security processor. Time-sliced execution comprises switching contexts between the two virtual processors to share processor resources based on tightly controlled mechanisms such as secure software instructions or hardware exceptions. The context of the currently running virtual processor is saved, the context of the virtual processor being switched to is restored, and processing is restarted in the restored virtual processor. Time-sliced execution protects the trusted security zone by stopping the execution of the normal partition while the secure partition is executing.

The two virtual processors context switch via a processor mode called monitor mode when changing the currently running virtual processor. The mechanisms by which the processor can enter monitor mode from the normal partition are tightly controlled. The entry to monitor mode can be triggered by software executing a dedicated instruction, the Secure Monitor Call (SMC) instruction, or by a subset of the hardware exception mechanisms such as hardware interrupts, which can be configured to cause the processor to switch into monitor mode. The software that executes within monitor mode then saves the context of the running virtual processor and switches to the secure virtual processor.

The trusted security zone runs a separate operating system that is not accessible to the device users. For security purposes, the trusted security zone is not open to users for installing applications, which means users do not have access to install applications in the trusted security zone. This prevents corrupted applications or malware applications from executing powerful instructions reserved to the trusted security zone and thus preserves the trust of the device. The security of the system is achieved at least in part by partitioning the hardware and software resources of the mobile phone so they exist in one of two partitions, the secure partition for the security subsystem and the normal partition for everything else. Placing the trusted security zone in the secure partition and restricting access from the normal partition protects against software and basic hardware attacks. Hardware logic ensures that no secure partition resources can be accessed by the normal partition components or applications. A dedicated secure partition operating system runs in a virtual processor separate from the normal partition operating system that likewise executes in its own virtual processor. Users may install applications on the mobile device which may execute in the normal partition operating system described above. The trusted security zone runs a separate operating system for the secure partition that is installed by the mobile device manufacturer or vendor, and users are not able to install new applications in or alter the contents of the trusted security zone.

Turning now to FIG. 4, a method 200 is described. At block 202, a system application executing on a computer system creates a software container comprising a container security token, where the token comprises a signature of the software container and an identity of an application. The system application may be an operating system that executes on the computer system and provides an execution environment for other applications that execute on the computer system. As known by one skilled in the art, operating systems generally provide access of applications to resources of the computer system, for example to processing cycles of a processor or central processing unit (CPU), to memory, to input/output devices, to communication interfaces, and to other resources. The operating system may provide this access via operating system application programming interfaces (APIs) or via system calls. The operating system may provide higher level computer system constructs such as software containers and data structures. The signature may be calculated or determined over the software container by the system application as described further above. The software container initially created by the computer system may be referred to as an inactive software container and may comprise a data structure or object that may be used by the system application to create an active software container and to execute an application in the active software container.

At block 204, the system application receives a request to launch an application in the software container that identifies the software container and identifies the application. The request may comprise a structure or object that comprises an inactive software container that comprises the container security token. If the container security token is encrypted, the system application may decrypt the container security token. At block 206, the system application determines a confirmation signature of the identified software container. For example, the system application determines the confirmation signature based on the software container, for example over an inactive software container. Calculation and/or determination of signatures and confirmation signatures are described further above. At block 208, the system application compares the confirmation signature to the signature in the container security token.

At block 210, the system application compares the application identity provided in the request to launch the application in the software container to the application identity in the container security token. At block 212, in response to determining that the confirmation signature matches the signature in the container security token and to determining that the application identity provided in the request to launch the application matches the application identity in the container security token, the system application launches execution of the application in the software container. If either the confirmation signature disagrees with the signature stored in the container security token or the application identity provided in the request to launch or activate the application disagrees with the application identity stored in the container security token, the system application may reject the request to launch the application in the software container.
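Blocks 202 through 212 of method 200, as an added example that is not code from the patent. It assumes the inactive container is a dictionary, that the signature is an HMAC-SHA256 under a key held only by the system application, and that the signature also covers the token's application identity; all names, fields and the key are hypothetical.

```python
import hashlib
import hmac
import json

# Assumption: a key known only to the system application (constructed value).
SYSTEM_KEY = b"constructed-system-key"
TOKEN_FIELD = "security_token"


def container_signature(container, app_identity):
    """Keyed hash over the inactive container, excluding the embedded token.

    The token lives inside the container, so it has to be left out of the
    signed bytes; otherwise embedding it would change the signature. Binding
    the application identity into the MAC (an assumption of this example)
    means the identity stored in the token cannot be edited unnoticed.
    """
    body = {k: v for k, v in container.items() if k != TOKEN_FIELD}
    msg = json.dumps([body, app_identity], sort_keys=True).encode()
    return hmac.new(SYSTEM_KEY, msg, hashlib.sha256).hexdigest()


def create_container(spec, app_identity):
    """Block 202: create the inactive container and embed its security token."""
    container = dict(spec)
    container[TOKEN_FIELD] = {
        "signature": container_signature(container, app_identity),
        "app_identity": app_identity,
    }
    return container


def launch(container, requested_app):
    """Blocks 204-212: verify the container, then launch. Returns (ok, reason)."""
    token = container.get(TOKEN_FIELD)
    if (not isinstance(token, dict)
            or not isinstance(token.get("signature"), str)
            or not isinstance(token.get("app_identity"), str)):
        return False, "missing or malformed token"
    # Block 206: confirmation signature over the container as presented.
    confirmation = container_signature(container, token["app_identity"])
    # Block 208: constant-time comparison with the stored signature.
    if not hmac.compare_digest(confirmation.encode(), token["signature"].encode()):
        return False, "container signature mismatch"
    # Block 210: requested application must be the one named in the token.
    if requested_app != token["app_identity"]:
        return False, "application identity mismatch"
    # Block 212: both checks passed; a real system would start the app here.
    return True, "launched"
```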

Turning now to FIG. 5, a method 230 is described. At block 232, a service token broker application receives a request from the client application for a service security token, where the request identifies the software service. At block 234, the service token broker application verifies that the client application is authorized to access the software service. At block 236, the service token broker application creates the service security token. In an embodiment, the service token broker application encrypts the service security token. At block 238, the service token broker application sends the service security token to the client application.

At block 240, a computer system executes a service application in a software container, where the service application provides a software service to client applications external to the computer system. At block 242, the computer system receives a service request from a client application to access the software service provided by the service application, where the service request comprises a service security token. In an embodiment, the service security token is encrypted, and the service application decrypts the service security token. At block 244, the service application validates the service security token. At block 246, in response to validating the service security token, the service application performs the software service associated with the request from the client application.

FIG. 6 depicts the user equipment (UE) 400, which is operable for implementing aspects of the present disclosure, but the present disclosure should not be limited to these implementations. For example, the UE 152 described above may be implemented in this form. Though illustrated as a mobile phone, the UE 400 may take various forms including a wireless handset, a pager, a personal digital assistant (PDA), a gaming device, or a media player. The UE 400 includes a touchscreen display 402 having a touch-sensitive surface for input by a user. A small number of application icons 404 are illustrated within the touch screen display 402. It is understood that in different embodiments, any number of application icons 404 may be presented in the touch screen display 402. In some embodiments of the UE 400, a user may be able to download and install additional applications on the UE 400, and an icon associated with such downloaded and installed applications may be added to the touch screen display 402 or to an alternative screen. The UE 400 may have other components such as electro-mechanical switches, speakers, camera lenses, microphones, input and/or output connectors, and other components as are well known in the art. The UE 400 may present options for the user to select, controls for the user to actuate, and/or cursors or other indicators for the user to direct. The UE 400 may further accept data entry from the user, including numbers to dial or various parameter values for configuring the operation of the handset. The UE 400 may further execute one or more software or firmware applications in response to user commands. These applications may configure the UE 400 to perform various customized functions in response to user interaction. Additionally, the UE 400 may be programmed and/or configured over-the-air, for example from a wireless base station, a wireless access point, or a peer UE 400. The UE 400 may execute a web browser application which enables the touch screen display 402 to show a web page. The web page may be obtained via wireless communications with a base transceiver station, a wireless network access node, a peer UE 400 or any other wireless communication network or system.

FIG. 7 shows a block diagram of the UE 400. While a variety of known components of handsets are depicted, in an embodiment a subset of the listed components and/or additional components not listed may be included in the UE 400. The UE 400 includes a digital signal processor (DSP) 502 and a memory 504. As shown, the UE 400 may further include an antenna and front end unit 506, a radio frequency (RF) transceiver 508, a baseband processing unit 510, a microphone 512, an earpiece speaker 514, a headset port 516, an input/output interface 518, a removable memory card 520, a universal serial bus (USB) port 522, an infrared port 524, a vibrator 526, one or more electro-mechanical switches 528, a touch screen liquid crystal display (LCD) with a touch screen display 530, a touch screen/LCD controller 532, a camera 534, a camera controller 536, and a global positioning system (GPS) receiver 538. In an embodiment, the UE 400 may include another kind of display that does not provide a touch sensitive screen. In an embodiment, the UE 400 may include both the touch screen display 530 and additional display component that does not provide a touch sensitive screen. In an embodiment, the DSP 502 may communicate directly with the memory 504 without passing through the input/output interface 518. Additionally, in an embodiment, the UE 400 may comprise other peripheral devices that provide other functionality.

The DSP 502 or some other form of controller or central processing unit operates to control the various components of the UE 400 in accordance with embedded software or firmware stored in memory 504 or stored in memory contained within the DSP 502 itself. In addition to the embedded software or firmware, the DSP 502 may execute other applications stored in the memory 504 or made available via information carrier media such as portable data storage media like the removable memory card 520 or via wired or wireless network communications. The application software may comprise a compiled set of machine-readable instructions that configure the DSP 502 to provide the desired functionality, or the application software may be high-level software instructions to be processed by an interpreter or compiler to indirectly configure the DSP 502.

The DSP 502 may communicate with a wireless network via the analog baseband processing unit 510. In some embodiments, the communication may provide Internet connectivity, enabling a user to gain access to content on the Internet and to send and receive e-mail or text messages. The input/output interface 518 interconnects the DSP 502 and various memories and interfaces. The memory 504 and the removable memory card 520 may provide software and data to configure the operation of the DSP 502. Among the interfaces may be the USB port 522 and the infrared port 524. The USB port 522 may enable the UE 400 to function as a peripheral device to exchange information with a personal computer or other computer system. The infrared port 524 and other optional ports such as a Bluetooth® interface or an IEEE 802.11 compliant wireless interface may enable the UE 400 to communicate wirelessly with other nearby handsets and/or wireless base stations. In an embodiment, the UE 400 may comprise a near field communication (NFC) transceiver. The NFC transceiver may be used to complete payment transactions with point-of-sale terminals or other communications exchanges. In an embodiment, the UE 400 may comprise a radio frequency identify (RFID) reader and/or writer device.

The switches 528 may couple to the DSP 502 via the input/output interface 518 to provide one mechanism for the user to provide input to the UE 400. Alternatively, one or more of the switches 528 may be coupled to a motherboard of the UE 400 and/or to components of the UE 400 via a different path (e.g., not via the input/output interface 518), for example coupled to a power control circuit (power button) of the UE 400. The touch screen display 530 is another input mechanism, which further displays text and/or graphics to the user. The touch screen LCD controller 532 couples the DSP 502 to the touch screen display 530. The GPS receiver 538 is coupled to the DSP 502 to decode global positioning system signals, thereby enabling the UE 400 to determine its position.

FIG. 8A illustrates a software environment 602 that may be implemented by the DSP 502. The DSP 502 executes operating system software 604 that provides a platform from which the rest of the software operates. The operating system software 604 may provide a variety of drivers for the handset hardware with standardized interfaces that are accessible to application software. The operating system software 604 may be coupled to and interact with application management services (AMS) 606 that transfer control between applications running on the UE 400. Also shown in FIG. 8A are a web browser application 608, a media player application 610, and JAVA applets 612. The web browser application 608 may be executed by the UE 400 to browse content and/or the Internet, for example when the UE 400 is coupled to a network via a wireless link. The web browser application 608 may permit a user to enter information into forms and select links to retrieve and view web pages. The media player application 610 may be executed by the UE 400 to play audio or audiovisual media. The JAVA applets 612 may be executed by the UE 400 to provide a variety of functionality including games, utilities, and other functionality.

FIG. 8B illustrates an alternative software environment 620 that may be implemented by the DSP 502. The DSP 502 executes operating system kernel (OS kernel) 628 and an execution runtime 630. The DSP 502 executes applications 622 that may execute in the execution runtime 630 and may rely upon services provided by the application framework 624. Applications 622 and the application framework 624 may rely upon functionality provided via the libraries 626.

FIG. 9 illustrates a computer system 380 suitable for implementing one or more embodiments disclosed herein. For example, the work stations 102, the host computers 106, the service token server 164, and the host computer 180 may be implemented as computer systems in a form similar to the computer system 380. The computer system 380 includes a processor 382 (which may be referred to as a central processor unit or CPU) that is in communication with memory devices including secondary storage 384, read only memory (ROM) 386, random access memory (RAM) 388, input/output (I/O) devices 390, and network connectivity devices 392. The processor 382 may be implemented as one or more CPU chips.

It is understood that by programming and/or loading executable instructions onto the computer system 380, at least one of the CPU 382, the RAM 388, and the ROM 386 are changed, transforming the computer system 380 in part into a particular machine or apparatus having the novel functionality taught by the present disclosure. It is fundamental to the electrical engineering and software engineering arts that functionality that can be implemented by loading executable software into a computer can be converted to a hardware implementation by well-known design rules. Decisions between implementing a concept in software versus hardware typically hinge on considerations of stability of the design and numbers of units to be produced rather than any issues involved in translating from the software domain to the hardware domain. Generally, a design that is still subject to frequent change may be preferred to be implemented in software, because re-spinning a hardware implementation is more expensive than re-spinning a software design. Generally, a design that is stable that will be produced in large volume may be preferred to be implemented in hardware, for example in an application specific integrated circuit (ASIC), because for large production runs the hardware implementation may be less expensive than the software implementation. Often a design may be developed and tested in a software form and later transformed, by well-known design rules, to an equivalent hardware implementation in an application specific integrated circuit that hardwires the instructions of the software. In the same manner as a machine controlled by a new ASIC is a particular machine or apparatus, likewise a computer that has been programmed and/or loaded with executable instructions may be viewed as a particular machine or apparatus.

Additionally, after the system 380 is turned on or booted, the CPU 382 may execute a computer program or application. For example, the CPU 382 may execute software or firmware stored in the ROM 386 or stored in the RAM 388. In some cases, on boot and/or when the application is initiated, the CPU 382 may copy the application or portions of the application from the secondary storage 384 to the RAM 388 or to memory space within the CPU 382 itself, and the CPU 382 may then execute instructions that the application is comprised of. In some cases, the CPU 382 may copy the application or portions of the application from memory accessed via the network connectivity devices 392 or via the I/O devices 390 to the RAM 388 or to memory space within the CPU 382, and the CPU 382 may then execute instructions that the application is comprised of. During execution, an application may load instructions into the CPU 382, for example load some of the instructions of the application into a cache of the CPU 382. In some contexts, an application that is executed may be said to configure the CPU 382 to do something, e.g., to configure the CPU 382 to perform the function or functions promoted by the subject application. When the CPU 382 is configured in this way by the application, the CPU 382 becomes a specific purpose computer or a specific purpose machine.

The secondary storage 384 is typically comprised of one or more disk drives or tape drives and is used for non-volatile storage of data and as an over-flow data storage device if RAM 388 is not large enough to hold all working data. Secondary storage 384 may be used to store programs which are loaded into RAM 388 when such programs are selected for execution. The ROM 386 is used to store instructions and perhaps data which are read during program execution. ROM 386 is a non-volatile memory device which typically has a small memory capacity relative to the larger memory capacity of secondary storage 384. The RAM 388 is used to store volatile data and perhaps to store instructions. Access to both ROM 386 and RAM 388 is typically faster than to secondary storage 384. The secondary storage 384, the RAM 388, and/or the ROM 386 may be referred to in some contexts as computer readable storage media and/or non-transitory computer readable media.

I/O devices 390 may include printers, video monitors, liquid crystal displays (LCDs), touch screen displays, keyboards, keypads, switches, dials, mice, track balls, voice recognizers, card readers, paper tape readers, or other well-known input devices.

The network connectivity devices 392 may take the form of modems, modem banks, Ethernet cards, universal serial bus (USB) interface cards, serial interfaces, token ring cards, fiber distributed data interface (FDDI) cards, wireless local area network (WLAN) cards, radio transceiver cards that promote radio communications using protocols such as code division multiple access (CDMA), global system for mobile communications (GSM), long-term evolution (LTE), worldwide interoperability for microwave access (WiMAX), near field communications (NFC), radio frequency identity (RFID), and/or other air interface protocol radio transceiver cards, and other well-known network devices. These network connectivity devices 392 may enable the processor 382 to communicate with the Internet or one or more intranets. With such a network connection, it is contemplated that the processor 382 might receive information from the network, or might output information to the network in the course of performing the above-described method steps. Such information, which is often represented as a sequence of instructions to be executed using processor 382, may be received from and outputted to the network, for example, in the form of a computer data signal embodied in a carrier wave.

Such information, which may include data or instructions to be executed using processor 382 for example, may be received from and outputted to the network, for example, in the form of a computer data baseband signal or signal embodied in a carrier wave. The baseband signal or signal embedded in the carrier wave, or other types of signals currently used or hereafter developed, may be generated according to several methods well-known to one skilled in the art. The baseband signal and/or signal embedded in the carrier wave may be referred to in some contexts as a transitory signal.

The processor 382 executes instructions, codes, computer programs, scripts which it accesses from hard disk, floppy disk, optical disk (these various disk based systems may all be considered secondary storage 384), flash drive, ROM 386, RAM 388, or the network connectivity devices 392. While only one processor 382 is shown, multiple processors may be present. Thus, while instructions may be discussed as executed by a processor, the instructions may be executed simultaneously, serially, or otherwise executed by one or multiple processors. Instructions, codes, computer programs, scripts, and/or data that may be accessed from the secondary storage 384, for example, hard drives, floppy disks, optical disks, and/or other device, the ROM 386, and/or the RAM 388 may be referred to in some contexts as non-transitory instructions and/or non-transitory information.

In an embodiment, the computer system 380 may comprise two or more computers in communication with each other that collaborate to perform a task. For example, but not by way of limitation, an application may be partitioned in such a way as to permit concurrent and/or parallel processing of the instructions of the application. Alternatively, the data processed by the application may be partitioned in such a way as to permit concurrent and/or parallel processing of different portions of a data set by the two or more computers. In an embodiment, virtualization software may be employed by the computer system 380 to provide the functionality of a number of servers that is not directly bound to the number of computers in the computer system 380. For example, virtualization software may provide twenty virtual servers on four physical computers. In an embodiment, the functionality disclosed above may be provided by executing the application and/or applications in a cloud computing environment. Cloud computing may comprise providing computing services via a network connection using dynamically scalable computing resources. Cloud computing may be supported, at least in part, by virtualization software. A cloud computing environment may be established by an enterprise and/or may be hired on an as-needed basis from a third party provider. Some cloud computing environments may comprise cloud computing resources owned and operated by the enterprise as well as cloud computing resources hired and/or leased from a third party provider.

In an embodiment, some or all of the functionality disclosed above may be provided as a computer program product. The computer program product may comprise one or more computer readable storage medium having computer usable program code embodied therein to implement the functionality disclosed above. The computer program product may comprise data structures, executable instructions, and other computer usable program code. The computer program product may be embodied in removable computer storage media and/or non-removable computer storage media. The removable computer readable storage medium may comprise, without limitation, a paper tape, a magnetic tape, magnetic disk, an optical disk, a solid state memory chip, for example analog magnetic tape, compact disk read only memory (CD-ROM) disks, floppy disks, jump drives, digital cards, multimedia cards, and others. The computer program product may be suitable for loading, by the computer system 380, at least portions of the contents of the computer program product to the secondary storage 384, to the ROM 386, to the RAM 388, and/or to other non-volatile memory and volatile memory of the computer system 380. The processor 382 may process the executable instructions and/or data structures in part by directly accessing the computer program product, for example by reading from a CD-ROM disk inserted into a disk drive peripheral of the computer system 380. Alternatively, the processor 382 may process the executable instructions and/or data structures by remotely accessing the computer program product, for example by downloading the executable instructions and/or data structures from a remote server through the network connectivity devices 392. The computer program product may comprise instructions that promote the loading and/or copying of data, data structures, files, and/or executable instructions to the secondary storage 384, to the ROM 386, to the RAM 388, and/or to other non-volatile memory and volatile memory of the computer system 380.

In some contexts, the secondary storage 384, the ROM 386, and the RAM 388 may be referred to as a non-transitory computer readable medium or a computer readable storage media. A dynamic RAM embodiment of the RAM 388, likewise, may be referred to as a non-transitory computer readable medium in that while the dynamic RAM receives electrical power and is operated in accordance with its design, for example during a period of time during which the computer system 380 is turned on and operational, the dynamic RAM stores information that is written to it. Similarly, the processor 382 may comprise an internal RAM, an internal ROM, a cache memory, and/or other internal non-transitory storage blocks, sections, or components that may be referred to in some contexts as non-transitory computer readable media or computer readable storage media.

While several embodiments have been provided in the present disclosure, it should be understood that the disclosed systems and methods may be embodied in many other specific forms without departing from the spirit or scope of the present disclosure. The present examples are to be considered as illustrative and not restrictive, and the intention is not to be limited to the details given herein. For example, the various elements or components may be combined or integrated in another system or certain features may be omitted or not implemented.

Also, techniques, systems, subsystems, and methods described and illustrated in the various embodiments as discrete or separate may be combined or integrated with other systems, modules, techniques, or methods without departing from the scope of the present disclosure. Other items shown or discussed as directly coupled or communicating with each other may be indirectly coupled or communicating through some interface, device, or intermediate component, whether electrically, mechanically, or otherwise. Other examples of changes, substitutions, and alterations are ascertainable by one skilled in the art and could be made without departing from the spirit and scope disclosed herein.

What is claimed is:
1. A method of providing a software service, comprising: executing a service application in a software container on a computer system, where the service application provides a software service to client applications external to the computer system; receiving a service request from a client application to access the software service provided by the service application, where the service request comprises a service security token and a service application programming interface (API), and wherein the service security token comprises a client application identity; calculating a confirmation signature over the service API in the service request by the service application; comparing the confirmation signature to an API signature from the service security token included in the service request by the service application; validating the service security token by the service application, wherein the validating comprises confirming that the confirmation signature matches the API signature stored in the service security token included in the service request and confirming that the client application identity in the service security token matches an identity of the client application provided in the service API or included in the service request; and in response to validating the service security token, performing the software service associated with the request from the client application by the service application.

2. The method of claim 1, further comprising: receiving a request from the client application for the service security token by a service token broker application executing on a computer system, where the request identifies the software service; verifying by the service token broker application that the client application is authorized to access the software service; creating the service security token by the service token broker application; and sending the service security token to the client application by the service token broker application.

3. The method of claim 2, wherein the service security token is encrypted by the service token broker application and validating the service security token by the service application comprises decrypting the service security token.

4. The method of claim 2, wherein the request for the service security token further comprises a request for the service API, and wherein the service security token comprises the API signature calculated over the service API by the service token broker application.

5. The method of claim 4, wherein the service application rejects the service request from the client application if the API signature in the service security token does not match the confirmation signature.

6. The method of claim 2, wherein the service security token comprises a time-to-live, further comprising the service application comparing the time-to-live in the service security token to a current system time and rejects the service request from the client application if the time-to-live in the service security token exceeds the current system time.

7. The method of claim 1, wherein the service security token further comprises a time-to-live value.

8. The method of claim 7, further comprising receiving a request from the client application for the service security token by a service token broker application executing on a computer system, where the request identifies the software service and comprises a request for the service API.

9. The method of claim 1, wherein the API signature is created by the service token broker application based on a hash or a checksum calculated over the service API.

10. The method of claim 7, wherein the API signature is created by the service token broker application based on a hash or a checksum calculated over the service API and calculated over one or more of the client application identity or the time-to-live value.

11. The method of claim 7, wherein the confirmation signature is calculated over the service API and over one or more of the client application identity or the time-to-live value.

12. The method of claim 7, further comprising comparing the time-to-live value to a current system time by the service application, wherein the validating further comprises determining that the time-to-live value is within a predefined threshold time to the current system time.

13. The method of claim 2, wherein the client application executes on a user equipment (UE), and wherein verifying that the client application is authorized to access the software service comprises at least one of determining that UE is registered to use the service application or determining that a service subscription of the UE associated with the service application is in good standing.

14. The method of claim 2, further comprising storing a copy of the service security token by the service token broker application, wherein the validating further comprises sending an identity of the service security token by the service application to the service token broker application and receiving by the service application confirmation from the service token broker application that the identity of the service token matches a corresponding stored service security token.

15. The method of claim 1, wherein the software service is access to streaming content.

16. The method of claim 1, wherein the software service is access to an interactive application.
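The token check recited in claims 1, 2 and 10 to 12 can be sketched as follows; this is an added Python illustration, not code from the patent or its applicant. It assumes HMAC-SHA256 with a key shared by broker and service in place of the claims' "hash or checksum", and treats the time-to-live value as an absolute expiry time; all names, the key, the API string and the 300-second window are constructed.

```python
import hashlib
import hmac
import json

# Assumption: broker and service share this key; the claims only say "hash or checksum".
BROKER_KEY = b"constructed-demo-key"
MAX_TTL_WINDOW = 300  # assumed "predefined threshold time" in seconds (claim 12)


def api_signature(service_api: str, client_id: str, ttl: int) -> str:
    """Keyed hash over the service API, client identity and time-to-live (claim 10)."""
    msg = json.dumps([service_api, client_id, ttl]).encode()
    return hmac.new(BROKER_KEY, msg, hashlib.sha256).hexdigest()


def broker_issue_token(service_api: str, client_id: str, now: int, lifetime: int = 120) -> dict:
    """Service token broker: build the service security token (claim 2)."""
    ttl = now + lifetime  # assumption: time-to-live stored as an absolute expiry time
    return {"client_id": client_id, "ttl": ttl,
            "api_sig": api_signature(service_api, client_id, ttl)}


def service_validate(request: dict, now: int) -> tuple[bool, str]:
    """Service application: confirmation signature, identity and TTL checks."""
    token = request["token"]
    confirmation = api_signature(request["service_api"], token["client_id"], token["ttl"])
    if not hmac.compare_digest(confirmation, token["api_sig"]):
        return False, "signature mismatch"
    if token["client_id"] != request["client_id"]:
        return False, "identity mismatch"
    if not 0 <= token["ttl"] - now <= MAX_TTL_WINDOW:
        return False, "time-to-live outside window"
    return True, "ok"


def demo() -> dict:
    """Run constructed requests through the validator and collect the outcomes."""
    now = 1_700_000_000  # constructed clock value
    api = "GET /v1/stream/{content_id}"  # constructed service API description
    token = broker_issue_token(api, "client-42", now)
    good = {"service_api": api, "client_id": "client-42", "token": token}
    return {
        "valid": service_validate(good, now + 10),
        "altered_api": service_validate({**good, "service_api": "DELETE /v1/stream"}, now + 10),
        "other_client": service_validate({**good, "client_id": "client-99"}, now + 10),
        "edited_ttl": service_validate({**good, "token": {**token, "ttl": token["ttl"] + 60}}, now + 10),
        "expired": service_validate(good, now + 600),
    }
```

Because the signature covers the identity and the time-to-live as well as the API, editing either field inside the token fails the signature comparison before the identity or expiry checks are reached.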